Updated at March 19, 2024   02:14 PM

Setting up a VPN tunnel

In this guide, a VK Cloud subnet is connected to a client subnet via a VPN tunnel. The other end of the tunnel is another network on the VK Cloud platform, where a virtual machine acts as the VPN endpoint. Several more virtual machines are created to test that the tunnel works.

The guide can be adapted to work with any other VPN endpoint, such as a corporate firewall or other network equipment.

1. Preparatory steps

  1. Make sure that OpenStack client is installed and authenticate to the project.

  2. Create networks.

    This network will act as the client network.

    When creating a network, set the following parameters:

    • Network name: clientNet.

    • Internet Access: Make sure this option is selected. It will allow you to assign public floating IP addresses to virtual machines on this network.

    • Router: Create new.

    • Subnet List: edit the only subnet in the list. Set the following parameters for the subnet:

      • Name: clientSubnet.
      • Address: 172.16.0.0/29.
      • Gateway: 172.16.0.1.
      • Enable DHCP: Make sure this option is selected.
      • DHCP IP address pool: 172.16.0.2 - 172.16.0.6.
      • Private DNS: Make sure this option is selected.
  3. Determine which routers have been created for these networks. This information will be needed when you configure the VPN further.

    It is further assumed that:

    • router router_1234 was created for the clientNet network;
    • router router_5678 was created for the vkcloudNet network.
  4. Determine the IP address of the SNAT interface for the router_5678 router:

    1. Open the page with the list of subnets for the vkcloudNet network.
    2. Click on the subnet name vkcloudSubnet.
    3. Click the Ports tab.
    4. Find the SNAT device port in the list of ports and copy its IP address.
  5. Create a virtual machine that will act as a VPN gateway on the clientNet client network, with the following settings:

    • Virtual machine name: client_vpn_gw.
    • Virtual machine type: STD2-1-2.
    • Number of machines in the configuration: one.
    • Operating system: Ubuntu 22.04.
    • Network: client network and corresponding clientNet: clientSubnet subnet.
    • Virtual Machine Key: The key that will be used to connect via SSH.
    • Firewall settings: everything is allowed (all).
    • Assign External IP: Make sure this option is selected.

    Select other parameters of the virtual machine at your discretion.

  6. Collect the information needed for the following steps. It is further assumed that:

    Object                                                                     | Value
    Public IP address of the router router_5678                                | 192.0.2.100
    IP address of the client_vpn_gw virtual machine on the clientSubnet subnet | 172.16.0.5
    Floating public IP address of the client_vpn_gw virtual machine            | 192.0.2.200
    Client subnet behind the client VPN gateway client_vpn_gw                  | 172.16.0.0/29
    Virtual subnet behind the cloud VPN gateway                                | 10.0.0.0/29
    IP address of the SNAT port in the cloud subnet                            | 10.0.0.5

Example Infrastructure

2. Set up a VPN tunnel on the cloud side

Create a VPN with the following settings:

Select IKE Policy - New IKE Policy, and set:

  • Policy name: vkcloud-client-ike.
  • Key lifetime: 3600 seconds.
  • Authorization Algorithm: sha256.
  • Encryption algorithm: aes-256.
  • IKE version: v2.
  • Diffie-Hellman group: group14.

3. Set up a VPN tunnel on the side of the client network

  1. Disable IP Source Guard on the VPN gateway port so that it can forward any traffic:

    1. Find the port with the private IP address 172.16.0.5 of the virtual machine client_vpn_gw. Get the ID of this port.

    2. Allow traffic from any address through this port:

      openstack port set <port id> --allowed-address ip-address=0.0.0.0/0
  2. Connect to the client_vpn_gw virtual machine via SSH. All further actions must be performed on this virtual machine.

  3. Enable IP Forwarding so that the virtual machine can route traffic from the private network to the VPN tunnel:

    echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
    sudo sysctl -p
  4. Install StrongSwan - An IPsec VPN Implementation for Linux:

    sudo apt update
    sudo apt install -y strongswan libcharon-extra-plugins libcharon-extauth-plugins libstrongswan-extra-plugins
  5. Add the VPN connection settings for the client network side to the /etc/ipsec.conf file. These settings are the mirror image of the tunnel settings configured on the cloud side in the previous section (left is the client gateway, right is the cloud router):

    conn client-vkcloud-vpn
      authby=secret
      left=%defaultroute
      leftid=192.0.2.200
      leftsubnet=172.16.0.0/29
      right=192.0.2.100
      rightsubnet=10.0.0.0/29
      ike=aes256-sha2_256-modp2048!
      esp=aes256-sha2_256!
      keyingtries=0
      ikelifetime=3600
      lifetime=8h
      dpddelay=30
      dpdtimeout=120
      dpdaction=hold
      auto=start
  6. Specify the shared key (PSK) in the /etc/ipsec.secrets file. The key must match the key specified previously:

    192.0.2.200 192.0.2.100 : PSK "<pre-shared key, specified previously>"
  7. Restart the StrongSwan service:

    sudo systemctl restart strongswan-starter
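The following Python script is an added example and is not part of the VK Cloud guide. It checks that the client-side strongSwan settings from steps 5 and 6 really are the mirror image of the cloud-side IKE policy from section 2 and of the tunnel endpoints from section 1: it renders the strongSwan ike= proposal that corresponds to the panel values (aes-256 / sha256 / group14 become aes256-sha2_256-modp2048, and the trailing "!" makes strongSwan accept only that proposal), parses the conn section of ipsec.conf, verifies that left/right IDs and subnets are swapped relative to the cloud side, and confirms that the ipsec.secrets line names both endpoint IDs and does not still hold the placeholder. The policy and endpoint values are those used in this guide; the ipsec.conf body is the conn block above, the PSK line is a constructed sample, and the rows of the name-mapping tables other than aes-256 / sha256 / group14 assume OpenStack VPNaaS naming.

```python
import re

# Cloud-side IKE policy as entered in the VK Cloud panel (values from the guide).
CLOUD_IKE_POLICY = {"encryption_algorithm": "aes-256", "auth_algorithm": "sha256",
                    "dh_group": "group14", "ike_version": "v2", "lifetime": 3600}

# Tunnel endpoints as seen from the cloud side (values from the guide).
CLOUD_TUNNEL = {"local_ip": "192.0.2.100",      # public IP of router_5678
                "local_subnet": "10.0.0.0/29",
                "peer_ip": "192.0.2.200",       # floating IP of client_vpn_gw
                "peer_subnet": "172.16.0.0/29"}

# Panel option name -> strongSwan proposal token. Only the aes-256 / sha256 /
# group14 row is used by the guide; the other rows assume OpenStack VPNaaS naming.
ENC = {"aes-128": "aes128", "aes-256": "aes256"}
AUTH = {"sha1": "sha1", "sha256": "sha2_256", "sha512": "sha2_512"}
DH = {"group5": "modp1536", "group14": "modp2048"}


def expected_ike_proposal(policy):
    """strongSwan ike= string mirroring the cloud policy; '!' = accept only this."""
    return "%s-%s-%s!" % (ENC[policy["encryption_algorithm"]],
                          AUTH[policy["auth_algorithm"]], DH[policy["dh_group"]])


def parse_conn(conf_text, name):
    """Return the key=value settings of the 'conn <name>' section of ipsec.conf."""
    settings, inside = {}, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                  # section header, e.g. 'conn X'
            inside = line.strip() == "conn " + name
            continue
        if inside and "=" in line:
            key, _, value = line.strip().partition("=")
            settings[key.strip()] = value.strip()
    if not settings:
        raise ValueError("conn %s not found" % name)
    return settings


def parse_psk_line(secrets_text):
    """Return (set of IDs, key) from the first 'ID ID : PSK "key"' line."""
    for raw in secrets_text.splitlines():
        m = re.match(r'^\s*(.*?)\s*:\s*PSK\s+"(.*)"\s*$', raw)
        if m:
            return set(m.group(1).split()), m.group(2)
    raise ValueError("no PSK line found")


def check_client_config(conf_text, secrets_text, conn_name, policy, cloud):
    """Return a list of mismatches; an empty list means the client mirrors the cloud."""
    c = parse_conn(conf_text, conn_name)
    problems = []

    def expect(key, value):
        if c.get(key) != value:
            problems.append("%s: expected %r, got %r" % (key, value, c.get(key)))

    expect("ike", expected_ike_proposal(policy))
    expect("ikelifetime", str(policy["lifetime"]))
    # keyexchange defaults to 'ike', which initiates with IKEv2 (auto=start initiates).
    if policy["ike_version"] == "v2" and c.get("keyexchange", "ike") not in ("ike", "ikev2"):
        problems.append("keyexchange: cloud policy is IKEv2, got %r" % c["keyexchange"])
    # Mirror image: the client's left side is the cloud's peer and vice versa.
    expect("leftid", cloud["peer_ip"])
    expect("leftsubnet", cloud["peer_subnet"])
    expect("right", cloud["local_ip"])
    expect("rightsubnet", cloud["local_subnet"])
    # The PSK line must name exactly the two endpoint IDs and hold a real key.
    ids, key = parse_psk_line(secrets_text)
    if ids != {cloud["peer_ip"], cloud["local_ip"]}:
        problems.append("ipsec.secrets: PSK IDs %s do not match the endpoints" % sorted(ids))
    if key.startswith("<") or len(key) < 20:   # 20 chars is this check's own minimum
        problems.append("ipsec.secrets: placeholder or short PSK")
    return problems


# The conn from step 5, embedded as a sample ipsec.conf body.
SAMPLE_IPSEC_CONF = """\
conn client-vkcloud-vpn
    authby=secret
    left=%defaultroute
    leftid=192.0.2.200
    leftsubnet=172.16.0.0/29
    right=192.0.2.100
    rightsubnet=10.0.0.0/29
    ike=aes256-sha2_256-modp2048!
    esp=aes256-sha2_256!
    keyingtries=0
    ikelifetime=3600
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=hold
    auto=start
"""
# Constructed secrets line; the key is a sample value, not one from the guide.
SAMPLE_IPSEC_SECRETS = '192.0.2.200 192.0.2.100 : PSK "sample-only-replace-me-0123456789"\n'

if __name__ == "__main__":
    for p in check_client_config(SAMPLE_IPSEC_CONF, SAMPLE_IPSEC_SECRETS,
                                 "client-vkcloud-vpn", CLOUD_IKE_POLICY, CLOUD_TUNNEL):
        print("MISMATCH:", p)
```

Run on the gateway with the real files (`open("/etc/ipsec.conf").read()` and `open("/etc/ipsec.secrets").read()`) before restarting strongSwan; an empty result means the proposal, lifetime, endpoint IDs, subnets and PSK line all agree with what was entered in the panel, which is the usual cause of a tunnel that stays in a non-ACTIVE state.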

4. Add static routes

In order for traffic to pass through the VPN tunnel, you need to add static routes:

  1. Open the page with the list of subnets for the vkcloudNet network in your personal account.

  2. Expand the vkcloudSubnet subnet menu and select Edit Subnet.

  3. Make sure the Show static routes field option is selected.

  4. Enter a static route to the client network 172.16.0.0/29 in the field. As the next hop, you need to specify the IP address of the SNAT interface of the router router_5678 in the cloud subnet vkcloudSubnet.

    172.16.0.0/29 - 10.0.0.5

5. Check if the VPN tunnel is working

  1. View the status of the VPN tunnel from the VK Cloud platform.

    To do this, open the VPN page vkcloud-client-vpn in your personal account and go to the Tunnel Settings tab. The VPN must be in ACTIVE status.

  2. Create a firewall rule group icmp to allow ICMP traffic.

    In this group, create an inbound rule:

    • Type: ICMP.
    • Remote address: All IP addresses.

    This is necessary so that the test virtual machines can ping each other.

  3. Create two virtual machines:

    • clientVM:

      • in the network clientNet, subnet clientSubnet;
      • with a floating IP address to connect to it via SSH;
      • with firewall rule groups default, ssh, icmp.
    • vkcloudVM:

      • in the network vkcloudNet, subnet vkcloudSubnet;
      • with a floating IP address to connect to it via SSH;
      • with firewall rule groups default, ssh, icmp.
  4. Determine the private IP addresses of the virtual machines on their respective subnets. Assume that:

    • clientVM has IP address 172.16.0.4;
    • vkcloudVM has IP address 10.0.0.4.
  5. Connect to the vkcloudVM virtual machine via SSH.

  6. Ping the clientVM virtual machine from the vkcloudVM virtual machine:

    ping 172.16.0.4

    The clientVM host must respond to the ping.

Delete unused resources

If you no longer need the created resources, delete them:

  1. Delete virtual machines.

  2. Delete VPN tunnel.

  3. Delete static routes defined on the side of the client network.

  4. Delete client and cloud network routers.

  5. Delete the client and cloud subnets and networks.

  6. Delete floating IP addresses.